[sudo-users] uid switching vs resource limits

Teodor Milkov tm at del.bg
Fri Jun 12 01:47:49 MDT 2015


I found that current version of sudo that's included in Debian 8 Jessie 
(1.8.10p3-1+deb8u2) has different behavior compared to the one in Debian 
7 Wheezy  (1.8.5p2-1+nmu2) in regard to resource limits.

In 1.8.5 resource limits were not enforced during privilege switching:

  $ sudo -V
  Sudo version 1.8.5p2
  Sudoers policy plugin version 1.8.5p2
  Sudoers file grammar version 41
  Sudoers I/O plugin version 1.8.5p2

  $ ulimit -u 50
$ ulimit -u

  $ sudo bash -c "ulimit -u"

  $ sudo bash -c "sh -c ulimit -u"

In 1.8.10 resource limits are retained:

  $ sudo --version
  Sudo version 1.8.10p3
  Sudoers policy plugin version 1.8.10p3
  Sudoers file grammar version 43
  Sudoers I/O plugin version 1.8.10p3

  $ ulimit -u 50
  $ ulimit -u

  $ sudo bash -c "ulimit -u"
  sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes

What is the recommended way to get the old behavior?

I looked through the man pages, but didn't find the answer. Also glanced 
quickly over the code and there's some relevand handling in src/sudo.c:

      * Unlimit the number of processes since Linux's setuid() will
      * return EAGAIN if RLIMIT_NPROC would be exceeded by the uid switch.

     if (setresuid(details->uid, details->euid, details->euid) != 0) {
     warning(U_("unable to change to runas uid (%u, %u)"), details->uid,
     goto done;
#elif defined(HAVE_SETREUID)
+---  5 lines: if (setreuid(details->uid, details->euid) != 0) 
+---  5 lines: if (seteuid(details->euid) != 0 || setuid(details->euid) 
!= 0) {-

     /* Restore previous value of RLIMIT_NPROC. */

But it seems uid switching is going via completely different code path 
(plugins/sudoers/set_perms.c) in the newer sudo?

Best regards,

More information about the sudo-users mailing list